OnPoint by Keith Ng


The Gift that Keeps on Making Me Barf

Last week, we saw the first indication that the NSA & friends have developed "groundbreaking cryptanalytic capabilities". This week, we found out exactly what that means. Basically, the keys that major companies use to encrypt their traffic have been stolen or weakened with flaws; backdoors have been put into products and networks; this is sometimes done with the willing cooperation of companies, sometimes with coerced cooperation, and other times, without their knowledge at all.

To draw an analogy: They haven't yet figured out how to picked the locks on your door, but they've managed to steal keys, to open windows, and to make your locksmith install dodgy locks. Of course, once they've done this, they're not the only ones who can climb through those windows and break those dodgy locks.

This why the news is significant: Not only does their mass survelliance system reach deep into secure systems used by everyone, they've also worked with industry to seed security holes throughout the entire system. It is an utter nightmare - these systems are the basis for "e-commerce", or as we call it these days, "commerce". Not only can we not trust the systems, we can't trust the people who build the systems.

This is a huge deal.

However, despite this being framed as a breach of encryption, the actual process of encryption (the actual "lock") hasn't been broken. What this has really shown is that if you want security, there is no alternative to doing it yourself and verifying it yourself.

Part 3: Verifying Keys

So there's a public key on my page. How do you know that's *my* key? Anyone could have created that key, just like I created the John PGPKey key. For all you know, some Russian hacker could have taken over Public Address and put that key there.

As a first step, you should look up my key. My key is published, so you can go to this keyserver and look up it up using my name.

The second one looks like me. Which is nice, but doesn't mean much - that could be faked too. You can check the fingerprint against the one I have on my twitter profile and the one I have on my Public Address page.

They match up! This means the person who created the key also controls my Twitter and Public Address accounts. But what if both those things were hacked? Last year, Wired writer Mat Honan got hacked - from his Amazon account, they got his credit card number; with his credit card number, they got his Apple account and his Apple email; with his email, they got EVERYTHING, and remotely wiped both his computer and his phone.

Now we move on to the next step: Little further down, we see Idiot/Savant. He has signed my key, which means that he has used his key to vouch for my key. We can check I/S's key fingerprint against the fingerprint on his Twitter bio. That can be hacked as well, of course, but it means that the hacker would have to hack both our accounts, as well as Public Address and No Right Turn.

The thing that makes signed keys special is that those signatures can't be changed. If I make up a new key, those signatures have to be renewed.

If you met I/S and verified his key, then that takes you one step closer: You know that his key is not faked, therefore you can be more confident that my key is not faked.

(I'll be organising a key-signing party at some stage, which is why I haven't talked about key signing. Also, I'm on a bus to Warkworth.)


BTW, the NZ Police can use PRISM against you now

So, "GCSB assistance" is basically "NSA assistance", so when the Police asks for GCSB help, it's actually getting NSA help.

I buried the shit out of that lead last time. The only reason it didn't die there was that Juha Saarinen picked up the significance of the GCSB-NSA link and wrote about it. From there, the news made it on to Ars Technica, which got Slashdotted/Reddited/tweeted by Greenwald, which made me realise that, perhaps, this was news after all.

And that, perhaps, I shouldn't have put it in a throwaway line. Half way down a post about PGP keys. Made at 5pm. On the day Shearer resigned. After the GCSB bill passed.

Basically: I am the worst at newsing. Soz.

Partly, I figured that people already knew: David Fisher, on the back of the same documents, implied the same things two months ago. And partly, being the pessimistic apocalyptist that I am, I was already on "Depression", and forgot that everyone else was still on "Anger".

It also highlights how these stories (PRISM, GCSB etc.) work. Not only are they inherently complex and difficult to understand, but because there's so much of it coming out in so many pieces, it's really hard to know what "everyone knows". The fact that something is in the public domain, or even has been reported, doesn't mean that it's a part of the public discourse.

Now, we return you to your homework.

Part Two: Signing/Verifying Keys

This is part of a multi-part series on security, aimed at journalists but useful for anyone. They are intended to get you comfortable with the tools and help you understand the principles being them. These are short, easy learning exercises - *DO NOT use them to store or transmit sensitive information yet*. They are only effective one you understand all the layers and can put them together. 

Let's say I send you an email, encrypted using your public key. I know who you are, because only you can decrypt that message. But how do you know who I am?

The magic of public-private keys is that they work both ways. When we encrypt messages, we use a public key to encrypt it, then a private key to decrypt it. "Signing" a message is doing the reverse. You're creating an encrypted signature using your private key, which can then be decrypted using the public key. This way, anyone can use your public key to verify that it was sent by someone with your private key (which is hopefully you).

This message was signed with my key, so you'll need to have my public key to verify it (if you don't know how, go back and read part 1). To verify the message, copy and paste the whole thing into gpg4usb, then click Verify. The green message should pop appear down the bottom.

Every signature is unique because it's generated using the private key AND the message itself. If you change the message - even a single character - then the signature will be invalid. Try it!

You can sign your own messages by writing it normally, then selecting your private key and clicking the "Sign" button. Do this last, because making any changes to the message will break the signature. After this, you can encrypt your message like you would normally - the signature will get encrypted as well.

Now you know how to sign messages to prove that you were the one who wrote it - and not some hacker who's gotten into your email.

Next chapter: Publishing keys.


Ich bin ein Cyberpunk

Welcome to your sudden but inevitable future of ubiquitous surveillance.

To an extent, I appreciate the arguments made by supporters of the GCSB Bill - it's not really a huge encroachment of mass surveillance powers, it is, mostly, just the formalisation of mass surveillance powers that have been encroaching for a decade. We are not fucked off because of the bill itself, really, but because we've finally been forced to pay attention to the barftastic overreach of state surveillance that's been happening around us.

At least, that's true for me. Thanks to the GCSB Bill, I finally got around to reading the Kim Dotcom affidavits. It's the best example we have of how "GCSB assistance" is actually rendered. The Police asked the GCSB for help in a one-page request (page 13 of this):

Once the GCSB's lawyer had a look at it, the Police provided a list of "selectors" to the GCSB (we now know from the PRISM documents that "selectors" is the term used to describe the search terms used to make PRISM requests):

The selectors were entered into █████, in an email classified as "SECRET//COMINT//REL TO NZL, AUS, CAN, GBR, USA". In other words, the selectors were entered into a secret communications intelligence system, and this secret system was considered related to Five Eyes:

The email from the GCSB then described "traffic volume from these selectors": i.e. This secret system was capturing live traffic.

This is consistent with everything that we know about PRISM. Key has refused to comment on this.

What does this mean? It means that GCSB assistance is NSA assistance. It means that government agencies can tap into these powers as part of bread-and-butter law enforcement. Through the Bradley Ambrose case, we've seen that the Police are willing to use the full extent of their powers for entirely bullshit cases. Combine the two, and it makes me very, very queasy.

I ended my post in May with "we need to start by getting really, really fucked off". What is step two? Fortunately, there is a 25-year-old answer to this question: Encrypt everything.

Over the next however long it's going to take me, I'm going to be doing short posts on how to secretfy your stuff. Today's post is on encrypting text using public-key encryption.

Public-key Encryption (the uber-short version)

This technique is based on a pair of matching keys - one public, one private. Anything encrypted with one can only be decrypted with the other. Why? MATHS, that's why. The public key is then made public (my key is here), and anyone can use that key to encrypt a messsage. Only you - with the private key that you keep secret - can decrypt that message.

It's actually not that hard. The simplest tool for dealing with PGP keys is gpg4usb. Go download it and have a play. Purely for testing purposes, here is the public AND private keys for "John PGPKey" (right click on the link --> "Save link as.." to save the file). Open up gpg4usb and use the menu bar: Keys --> Import Key from.. --> File.

Select the .asc file you just downloaded. You can now use John PGPKey's private and public keys.

(Just to reiterate, this is for testing purposes only - you should NEVER put your real private key on the internet.)

Here is a message that's been encrypted using John PGPKey's public key. Open it up and copy and paste the garbled text into gpg4usb (including the BEGIN PGP MESSAGE and END PGP MESSAGE lines). Click on the "Decrypt" button. It'll ask you for a passphrase, which is "spicy panopticon in a dunnenad sauce" (this is a more reliable guide to making secure passphrases than your IT department).

(And no, you should not be putting the passphrases for your real private key on the internet, either. NOTE: Apologies if this didn't work before, I posted the wrong version of the key I was faffing around with.)

Enter the passphrase and BAM - you've decrypted a message! (If you haven't, check that you've copied the whole message, and check that you typed in the password properly.)

Now, to encrypt a message, just type things into the text box, select the key you want to encrypt with, and click on the "Encrypt" button. Pretty goddamn easy.

To create your own key, open up Keys --> Manage Keys. From the Key Management window, open up Key --> Generate Key. Fill out the boxes and go. You can export the public key and put it somewhere public - but let's not actually do that yet, until we have a way of securing your private key.

In the next part, we'll talk about publishing keys, verifying keys, signing with keys.


Government Portfolios for Dummies

These are all the Briefings for Incoming Ministers I could get my hands on. They've been cleaned, sorted and fed to DocumentCloud, which scans and OCRs them automatically.

These documents are given to Ministers as introductory papers to their new portfolios. They cover the scope of their portfolio (i.e. What they should be doing), the assets they have under them (i.e. The Department/Ministry, its organisation and key people) and key issues in that particular portfolio.

They really are excellent primers on most aspects of government. You can, of course, use this cache to get some quick background about a particular portfolio, but also use the internal search functions to find specific areas of responsibility or specific issues.

Here you go, in case you missed the link up there. There are more advanced features in DocumentCloud, such as entity analysis and automatic generation of timelines. If you want to take a crack at it, let me know (message me below) and I'll hook you up with an account.


This is an experiment for two things:

1) Providing resources as a form of data journalism. Is this useful? Are you going to do anything with it? Drop me a line if you actually use this for something - I'd love to know.

2) Keeping better government data better than the government. Because why not. The Govt hasn't updated theirs since 2008, and heaps of the links are broken, PDFs are scanned and not searchable, etc. This took me most of the afternoon - it's not hard, and should be quite easy to add to and maintain (this was just the first grab - I'll fill in the gaps later).


Quickfisk: Youth Unemployment

Somehow I got entangled in a Twitter three-way between Hooton, Rob Hosking and #heyclint over youth unemployment figures today, and my 2 Degree 3G was crapping out on me again, so I was in the Twitter-equivalent of a vegetative state, watching them fight around me.

I haven't been following this, so I don't really know what HORRIBLE RIGHTWING LIES Hooton has been telling, but Rob brought out this graph which piqued my curiosity. 

The chart on the right really does seem to show that youth unemployment - although well above OECD average - is going down. Does it?

Spoiler: No.

In the spirit of quickfisking, I'll just get to the point. Here is the unemployment rate for youth (the blue line) vs adults (the red line). Note that the 25-54 age group is the "prime" working age used by OECD for its youth/adult ratio.


First off: It's pretty hard to see the good news in this. I don't blame National for the GFC, but it's impossible to look at this and suggest that National has made a dent in the problem. Unemployment is as bad as it's been since the GFC hit.

So how does this gel with a decreasing youth/adult unemployment ratio? It's just simple arithmetics. Since its lowest point in 2007, adult unemployment went from 2.6% to 5.3% - a 104% increase. Youth unemployment went from 10% in 2007 to 17.3% - a mere 73% increase. 

The upshot is that the youth/adult unemployment ratio is closing because adult unemployment has risen faster than youth unemployment, which hasn't fallen at all. It is nothing to gloat about.

Here is the data.